b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                           The Computer Security Incident\n                            Response Center Is Operating\n                             As Intended, Although Some\n                            Enhancements Can Be Made\n\n\n\n                                         September 2005\n\n                              Reference Number: 2005-20-143\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Web Site          | http://www.tigta.gov\n\x0c                                            DEPARTMENT OF THE TREASURY\n                                                 WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 30, 2005\n\n\n MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES\n\n\n\n FROM:                       Pamela J. Gardiner\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Computer Security Incident Response Center\n                             Is Operating As Intended, Although Some Enhancements Can Be Made\n                             (Audit # 200520007)\n\n This report presents the results of our review of the effectiveness of the Internal Revenue\n Service\xe2\x80\x99s (IRS) Computer Security Incident Response Center (CSIRC) at preventing, detecting,\n and responding to computer security incidents targeting IRS computers and data. As a part of its\n mission, the CSIRC provides assistance and guidance in incident response and provides a\n centralized approach to incident handling across the IRS enterprise.\n\n Synopsis\n The CSIRC is effective at preventing, detecting, and responding to computer security incidents.\n In particular, it:\n     \xe2\x80\xa2    Manages entry points into the IRS computer architecture to ensure computer networks are\n          secure against external intruders.\n     \xe2\x80\xa2    Monitors entry points into the IRS computer architecture and major connections within\n          the computer network to ensure suspicious activities are detected and reviewed.\n     \xe2\x80\xa2    Reports and helps investigate computer and physical security incidents detected in the\n          IRS.\n     \xe2\x80\xa2    Identifies and refers Internet misuse by employees to appropriate authorities.\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\n    \xe2\x80\xa2   Implements processes to rate security patches1 related to software used by the IRS and\n        inform system administrators of the vulnerabilities involved.\n    \xe2\x80\xa2   Performs vulnerability scanning along with penetration tests of IRS computers.\nWe identified two areas where improvements could be made. First, the CSIRC has been\noperating under draft patch management procedures since November 2003. The lack of formal\nguidance can hinder the CSIRC and system administrators in the Modernization and Information\nTechnology Systems organization in timely installing software patches on all appropriate\ncomputers. As an example, the draft guidance requires the CSIRC to conduct periodic follow-up\nto ensure patches are installed. We found the CSIRC did not regularly perform follow-up\nactivities on patches. The installation of patches is critical in deterring unauthorized accesses\nand minimizing disruptions of service from internal and external threats to known weaknesses.\nThe importance of timely installing patches can be illustrated when the IRS did not timely install\npatches on all computers that were vulnerable to the SASSER worm.2 About 19 days after\nnotification about the patch, the SASSER worm had spread throughout the IRS\xe2\x80\x99 internal\ncomputer network. The IRS believed it sustained several million dollars in lost productivity and\npotential losses of about $50 million in tax assessments and collections.\nSecond, problems identified during vulnerability scans and penetration tests were not formally\nprovided to the business owners, and corrective actions were not documented in Plans of Action\nand Milestones (POA&M)3 as required by the Federal Information Security Management Act\n(FISMA).4 In addition, unless requested by the business unit, the CSIRC did not always follow\nup to ensure corrective actions were implemented. As a result, vulnerabilities may not be\ncorrected or sufficiently reduced.\n\nRecommendations\nWe recommended the Chief, Mission Assurance and Security Services, ensure the draft patch\nmanagement guidance is finalized, ensure business units include security weaknesses identified\nfrom vulnerability scans and penetration tests in POA&Ms, and implement procedures to\n\n\n1\n  Vendors issue software security patches to correct flaws identified after their software has been released to the\npublic.\n2\n  The SASSER worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows\ncomputers and transferred additional exploit code to the computers. It also probed for other computers to infect.\nThis worm rendered computers inoperable.\n3\n  A POA&M is a tool that identifies tasks that need to be accomplished and includes documenting resources\nrequired to accomplish the element of the plan, any milestones in meeting the tasks, and scheduled completion dates\nfor the milestones. The purpose of POA&Ms is to assist agencies in identifying, assessing, prioritizing, and\nmonitoring the progress of corrective efforts for security weaknesses found in programs and systems.\n4\n  Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).\n                                                                                                                  2\n\x0c                 The Computer Security Incident Response Center Is Operating\n                   As Intended, Although Some Enhancements Can Be Made\n\n\n\nformally share results with the head of the requesting office and routinely follow up to ensure\ncorrective actions are taken and effective.\n\nResponse\nThe Chief, Mission Assurance and Security Services, concurred with our findings and\nrecommendations, which will further assist the CSIRC in preventing, detecting, and responding\nto computer security incidents. The Mission Assurance and Security Services organization will\nfinalize the patch management guidance manual, document vulnerability assessment and\npenetration test findings in a memorandum to the respective FISMA project office and the\nExecutive in charge, ensure planned corrective actions to findings are reported through the\nFISMA process, and re-run scans and penetration tests to ensure vulnerabilities were effectively\nreduced. Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at\n(202) 622-8510.\n\n\n\n\n                                                                                                   3\n\x0c                       The Computer Security Incident Response Center Is Operating\n                         As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                            Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 2\n          Firewall Administration and Management Were Effective ..........................Page 2\n          Intrusion Detection Systems Were Effective................................................Page 3\n          Incident Response, Recovery, and Reporting Were Effective......................Page 4\n          Internet Misuse Monitoring Was Effective...................................................Page 5\n          Security Patches Were Properly Identified and Evaluated\n          for Applicability, but Follow-Up Is Needed to Ensure\n          Patches Are Timely Installed ........................................................................Page 6\n                    Recommendation 1:........................................................Page 8\n\n          Vulnerability Scanning and Penetration Testing Were\n          Performed, but Follow-Up Was Not Always Conducted .............................Page 8\n                    Recommendations 2 through and 4: ...................................Page 10\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 11\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 13\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 14\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 15\n\x0c                The Computer Security Incident Response Center Is Operating\n                  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                      Background\n\nThe Internal Revenue Service\xe2\x80\x99s (IRS) Computer Security Incident Response Center (CSIRC)\nwas designed to ensure the IRS has a team of capable \xe2\x80\x9cfirst responders\xe2\x80\x9d who are organized,\ntrained, and equipped to identify, contain, and eradicate cyber threats targeting IRS computers\nand data. The CSIRC provides a single clearinghouse of information and centralized pool of\nhighly specialized expertise to detect and respond to computer attacks against the IRS.\nThe activities under the CSIRC program include:\n   \xe2\x80\xa2   Firewall Administration and Management.\n   \xe2\x80\xa2   Intrusion Detection.\n   \xe2\x80\xa2   Incident Response, Recovery, and Reporting.\n   \xe2\x80\xa2   Internet Misuse Monitoring.\n   \xe2\x80\xa2   Security Patch Identification and Applicability to the IRS.\n   \xe2\x80\xa2   Vulnerability Scanning and Penetration Testing.\nThis review was performed at the IRS\xe2\x80\x99 CSIRC National Headquarters in New Carrollton,\nMaryland, during the period December 2004 through May 2005. The audit was conducted in\naccordance with Government Auditing Standards. Detailed information on our audit objective,\nscope, and methodology is presented in Appendix I. Major contributors to the report are listed in\nAppendix II.\n\n\n\n\n                                                                                           Page 1\n\x0c                    The Computer Security Incident Response Center Is Operating\n                      As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                       Results of Review\n\nFirewall Administration and Management Were Effective\n\nThe primary function of firewalls is to keep a computer or computer network secure from\nintruders. Firewalls can be hardware or software and are typically installed at entry points into a\nnetwork. They evaluate all traffic coming into and leaving the network based on configurations\nestablished by the organization. The effectiveness of firewalls depends on the placement,\nconfigurations, and configuration change management process of the firewalls.\nThe IRS installed firewalls at all connection points from the Internet and business partners1 into\nthe IRS\xe2\x80\x99 internal computer network. At the highest risk connections, a two-tier firewall scheme\nwas implemented. The two-tier approach leverages the two firewall technologies2 to more\ncompletely protect each connection point. This approach significantly reduces the likelihood of\nan improper access because a configuration error or security flaw on one of the firewalls is not\nlikely to exist on the other firewall.\nOverall, the configurations on the firewalls we\nreviewed were effective at protecting the IRS\xe2\x80\x99 internal    Overall, the configurations on the\ncomputer network. We identified configuration errors          firewalls we reviewed were\n                                                            effective at protecting the IRS\xe2\x80\x99\nwhere disallowed traffic could have been allowed to           internal computer network.\npass through the firewall. For example, one firewall\nerroneously allowed all external users to have full\naccess to a portion of the IRS\xe2\x80\x99 internal computer network. However, the two-tier firewall\napproach prevented successful attacks because the second firewall did not contain the same\nconfiguration error. The CSIRC immediately corrected these weaknesses when we brought them\nto its attention.\nIn addition, the CSIRC has implemented a change management process for firewall\nconfigurations that is web based and implements all requirements from the Department of the\nTreasury security directives. Changes to the firewalls are installed when necessary by the\n\n\n\n1\n  Business partners refer to those organizations that need connectivity to do business with or for the IRS. Examples\ninclude financial institutions and other Federal Government agencies.\n2\n  The two firewall technologies are packet filtering and application firewalls. Packet-filtering firewalls review the\nsource and destination addresses of the network traffic along with the type of traffic to a set of rules to decide\nwhether the traffic should be allowed to proceed intact. Application firewalls stop all traffic coming to the firewall\nand repackage the traffic data for delivery on the other side while reviewing its contents. While this is more secure,\nit uses more resources of the firewall computer.\n                                                                                                              Page 2\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\nCSIRC staff and contractors and require approval by the CSIRC manager before implementation.\nOur review found this process is working as intended.\nThe IRS is moving the responsibility for maintaining firewalls from the CSIRC to the\nInformation Technology Service Enterprise Networks organization.3 This change is to be in\nplace at the beginning of Fiscal Year 2006.\n\n\nIntrusion Detection Systems Were Effective\n\nIntrusion detection systems provide an organization the ability to monitor the activity of its\ncomputer network and look for suspicious or unauthorized actions from both external and\ninternal threats. The Federal Information Security Management Act (FISMA)4 specifically\nrequires Federal Government agencies to develop procedures to detect, report, and respond to\nsecurity computer incidents. Similar to the firewall architecture, an effective detection program\ndepends on the placement, configuration, and maintenance of intrusion detection sensors. The\nsensors record traffic data, and the servers collect all data from the sensors and evaluate the\ntraffic for patterns or characteristics of known attack scenarios.\nThe placement of sensors throughout the IRS\xe2\x80\x99 internal computer network was sufficient and\neffective. Sensors were deployed at perimeter connections of the computer network and at the\nmajor internal network connections at the campuses5 and Computing Centers.6 In addition,\nsensors were installed on many of the major servers throughout the IRS infrastructure. The\nCSIRC plans to add more sensors throughout the network as soon as funding is available, which\nwill allow the CSIRC to more completely monitor traffic moving within the IRS campus\nnetworks.\n                                          The sensors we reviewed were well configured,\n   Intrusion detection sensors were       maintained, and monitored by the CSIRC staff and\n    well configured, maintained, and      contractors. The sensors were using up-to-date\n      monitored by the CSIRC staff\n                                          configurations to detect known cyber attacks and\n    24 hours per day, 7 days a week.\n                                          automatically sent alerts to the CSIRC staff for analysis\n                                          as questionable incidents were detected. The CSIRC\nfacility is staffed 24 hours per day, 7 days a week, using both contractors and employees.\n\n3\n  The mission of the Enterprise Networks organization is to positively satisfy IRS business units\xe2\x80\x99 requirements by\nproviding all forms of electronic communications in the most efficient and effective manner and by managing the\nday-to-day operations of the telecommunications environment.\n4\n  Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).\n5\n  Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct\nerrors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.\n6\n  IRS Computing Centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n                                                                                                          Page 3\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\nWe performed our own scanning activities of a portion of the IRS architecture over a\n2-week period. During that period, the sensors inside the IRS network detected and recorded our\nactivities.\n\n\nIncident Response, Recovery, and Reporting Were Effective\n\nIf a hacker, disgruntled employee, or contractor attempts an unauthorized access, or a virus\nenters the IRS internal computer network, the IRS must respond quickly. Once an incident has\nbeen detected, the CSIRC must determine the scope of the incident, determine how best to\ncontain the damage, and develop plans to recover from the incident. The CSIRC is also required\nto report significant incidents to the Treasury Inspector General for Tax Administration (TIGTA)\nOffice of Investigations and the Department of the Treasury CSIRC function.\nAs part of its incident response program, the CSIRC maintains an incident response database to\ntrack an incident from the time it is reported until it is closed. The database includes who\nreported the incident, the point of contact, notes on email and telephone contacts during the\nincident review, corrective actions that were taken and, if necessary, results of any follow-up\ntests.\nThe CSIRC followed procedures, which are based on\nguidance from the Department of the Treasury and the             The CSIRC followed procedures\nNational Institute of Standards and Technology, to 7                 to effectively identify and\neffectively identify and respond to cyber and physical            respond   to cyber and physical\n                                                                         security incidents.\nsecurity incidents. In addition, it properly referred\nsignificant incidents to the TIGTA when necessary,\nassisted in the subsequent investigations, and properly reported results to the Department of the\nTreasury CSIRC function. Between January 1, 2004, and March 3, 2005, the CSIRC recorded\n1,361 incidents in its database, which consisted of:\n    \xe2\x80\xa2   Violations of the IRS\xe2\x80\x99 personal use policies (512).8\n\n\n\n\n7\n  The National Institute of Standards and Technology, under the Department of Commerce, is responsible for\ndeveloping standards and guidelines for providing adequate information security for all Federal Government agency\noperations and assets.\n8\n  The IRS\xe2\x80\x99 policy on limited personal use of Government Information Technology equipment/resources defines\nacceptable use of the Internet by IRS employees.\n                                                                                                         Page 4\n\x0c                       The Computer Security Incident Response Center Is Operating\n                         As Intended, Although Some Enhancements Can Be Made\n\n\n\n    \xe2\x80\xa2       Malicious code that turned out to be mainly worms, viruses, and phishing emails (413).9\n    \xe2\x80\xa2       Questionable computer scans of the IRS infrastructure from both internal and external\n            entities (264).\n    \xe2\x80\xa2       Unauthorized access attempts (61).\n    \xe2\x80\xa2       Theft of computer equipment or data (29).\n    \xe2\x80\xa2       Miscellaneous incidents, such as denial of service attempts and noncompliance with\n            security policies (82).\n\n\nInternet Misuse Monitoring Was Effective\n\nThe Internet is an excellent research resource for employees to better perform their jobs.\nProviding access to the Internet for business purposes, however, has also created the opportunity\nfor abusive Internet browsing habits. As a result, the IRS created a policy on limited personal\nuse of electronic communications, which specifically states what an employee can and cannot do\non the Internet. The IRS policy specifically prohibits:\n        \xe2\x80\xa2    Accessing, creating, downloading, viewing, storing, copying, or transmitting sexually\n             explicit material.\n        \xe2\x80\xa2    Creating, downloading, viewing, storing, copying, or transmitting materials related to\n             illegal gambling or any other illegal activity.\n        \xe2\x80\xa2    Using Federal Government equipment/resources for commercial purposes or in support\n             of \xe2\x80\x9cfor profit\xe2\x80\x9d activities or in support of other outside employment or business activity.\nIn June 2003, we issued a report on the IRS Internet policy and employee usage of the Internet.10\nThis report stated that, although the IRS had an Internet usage policy that was comprehensive\nand widely distributed, a substantial number of IRS employees continued to access prohibited\nsites that put IRS computer systems at risk. During a 1-week period almost 6 months after the\npolicy was implemented, over 1 million questionable accesses to web sites were made from\napproximately 19,000 computer addresses. These accesses were linked to seven categories of\n\n\n9\n  A virus is a piece of programming code usually disguised as something else that causes some unexpected and, for\nthe victim, usually undesirable event and which is often designed so it is automatically spread to other computer\nusers. A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself.\nPhishing is the illegal act of sending an email to a user under the false pretense of being a legitimate enterprise such\nas a bank or online retailer with the intent of having the user disclose his or her account number and/or password.\n10\n   Inappropriate Personal Use of the Internet Jeopardizes the Security and Privacy of Taxpayer Data (Reference\nNumber 2003-20-133, dated June 2003).\n                                                                                                                Page 5\n\x0c                    The Computer Security Incident Response Center Is Operating\n                      As Intended, Although Some Enhancements Can Be Made\n\n\n\nsites specifically listed in the policy as inappropriate: sexually explicit web sites, personal email\naccounts, chat rooms, games, music, instant messaging, and sites from which programs were\ndownloaded.\nThe current CSIRC Internet misuse monitoring program consists of two mechanisms to deter and\ndetect employee Internet violations to the IRS\xe2\x80\x99 policy. First, the CSIRC uses commercial\nsoftware that is designed to block certain Internet accesses from connecting to those web sites\ndeemed inappropriate. Second, the CSIRC reviews Internet access log files to identify\nquestionable Internet accesses that were not blocked by the commercial blocking software. If\nnecessary, these sites are then added to the software\xe2\x80\x99s forbidden site list so they will be blocked\nin the future.\nWhen access to a web site that violates the IRS policy is detected, the CSIRC determines if the\naccess is by a user who is a \xe2\x80\x9cfirst-time violator.\xe2\x80\x9d If so, and the access does not involve sexually\nexplicit web sites or criminal activity, the user will be sent an email explaining the access\nviolated the IRS policy and he or she should not attempt to access the web site again. For\nsexually explicit web sites and possible criminal activity, the user\xe2\x80\x99s Internet activity will be\nreviewed for the prior 3 months. If the access was isolated, the user is treated as a first-time\nviolator and sent a courtesy email. Repeated attempts will result in referrals to appropriate\nauthorities based on the severity of the violations.\nIn Fiscal Year 2004, the CSIRC made 53 referrals. Specifically, these consisted of 34 employees\nreferred to the IRS Human Resources organization for administrative handling, 10 employees\nreferred to the TIGTA for criminal investigation, and 9 contractors referred to the IRS Personnel\nSecurity and Investigations office.11\nThe CSIRC has developed effective procedures and practices to monitor and identify Internet\nmisuse by IRS employees. Because strong controls and procedures exist, we limited our test to a\n1-day sample of employee Internet use and determined that significant Internet misuse did not\nexist.\n\n\nSecurity Patches Were Properly Identified and Evaluated for\nApplicability, but Follow-Up Is Needed to Ensure Patches Are Timely\nInstalled\n\nThe CSIRC is responsible for providing warnings and intelligence information on vulnerabilities,\nthreats, and incidents that affect IRS computers and data. A key component of these duties is to\n\n\n11\n  The mission of the Personnel Security and Investigations office, under the Mission Assurance and Security\nServices organization, is to ensure the employment or retention of employment in the IRS is consistent with the\ninterests of national security, the efficiency of the Federal Government service, and the integrity of the tax system.\n                                                                                                                Page 6\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\nreview security alerts from various industry and vendor sources and determine if related patches\nare applicable to the IRS. Vendors issue patches to fix flaws that become apparent after their\nsoftware has been released to the public. These fixes may be to correct one of the features of the\nprogram or a security weakness not known at the time of the software\xe2\x80\x99s release. The installation\nof patches generally prevents these weaknesses from being exploited.\nThe CSIRC properly identified relevant security alerts and patches applicable to the IRS. To\nidentify security alerts, the CSIRC regularly reviewed web sites maintained by vendors, the\nFederal Government, and security organizations. In addition, the CSIRC is included on mailing\nlists to receive current vulnerability announcements.\nThe CSIRC evaluated the risks affecting the IRS infrastructure and appropriately assigned\nseverity levels for security patches based on the exploit, the software involved, and how widely\nthe software was in use within the IRS. Patches were assigned one of four levels: red (critical\nrisk), orange (high risk), yellow (medium risk), and green (low risk). Each level has its own\ninstallation requirements. For example, a critical patch must be installed within 72 hours.\nAfter the CSIRC evaluates patches for applicability, patches are tested by the Modernization and\nInformation Technology Services (MITS) organization to determine if the installation of the\npatch will adversely affect existing computer operations, such as stopping certain parts of\nprograms from working. If no conflicts are identified, system administrators in the MITS\norganization are notified to install the patches.\nWhile the CSIRC has effectively identified security alerts affecting the IRS, it currently does not\nfollow up to ensure patches are installed. As a result, the IRS has no assurance that even critical\npatches are implemented timely and effectively.\nThe importance of verifying that patches have been installed timely and effectively can be\nillustrated by the SASSER worm12 incident in 2004. On April 13, 2004, Microsoft Corporation\n                                      notified certain customers, including the IRS, of a patch to\n                                      correct the underlying problem exploited by the SASSER\n   The IRS estimated the SASSER\n       worm potentially caused        worm. On that date, the CSIRC issued a critical alert to\n   $50 million of tax assessments     the MITS organization. The MITS organization installed\n      and collections to be lost.     patches to its servers but did not install patches to all\n                                      vulnerable computers, such as employee workstations. By\n                                      May 1, 2004, the SASSER worm was quickly spreading\nacross the Internet. By May 2, 2004, the SASSER worm had penetrated the IRS\xe2\x80\x99 internal\ncomputer network primarily because the patch had not been installed on all applicable\ncomputers. The IRS estimated the SASSER worm outbreak cost the various business units\n\n\n12\n  The SASSER worm exploited a flaw in the Local Security Authority Subservice System on Microsoft Windows\ncomputers and transferred additional exploit code to the computers. It also probed for other computers to infect.\nThis worm rendered computers inoperable.\n                                                                                                           Page 7\n\x0c                 The Computer Security Incident Response Center Is Operating\n                   As Intended, Although Some Enhancements Can Be Made\n\n\n\nseveral million dollars in lost productivity from May 2 through May 10 due to the loss of\nconnectivity caused by the SASSER worm. The IRS also estimated the SASSER worm\npotentially caused $50 million of tax assessments and collections to be lost during this time\nperiod.\nAlthough the CSIRC has the responsibility for identifying security patches that should be\ninstalled, it currently has no authority to verify the patches are installed. The draft patch\nmanagement guidance, dated November 2003, addresses this procedural weakness, as it contains\na requirement stating the CSIRC will implement periodic widespread enterprise network and\nhost vulnerability and security compliance scans to detect and report on deficiencies in the\nsecurity patch management process. However, the draft procedures do not specifically state\nwhen these scans should be performed.\n\n\nRecommendation\nRecommendation 1: The Chief, Mission Assurance and Security Services, should ensure the\ndraft patch management guidance is finalized and include a requirement for the CSIRC to\nconduct vulnerability scans across the IRS enterprise to ensure security patches have been timely\ninstalled. The procedures should require the CSIRC to conduct these scans within an appropriate\ntime period based on the severity level of the security patch.\n       Management\xe2\x80\x99s Response: The Director, CSIRC, will finalize the patch management\n       guidance manual, which includes the requirement that the CSIRC will perform routine\n       and ongoing security assessments to identify systems that have failed to implement\n       patches or correct identified security vulnerabilities, to the extent possible.\n\n\nVulnerability Scanning and Penetration Testing Were Performed, but\nFollow-Up Was Not Always Conducted\n\nThe CSIRC conducts scans and penetration tests on IRS computers to find and reduce\nexploitable vulnerabilities. Scanning consists of using automated tools to review the computer\nresources on the internal network for known vulnerabilities. The automated tools usually target\nspecific computers on the network with the full knowledge of the users. Penetration testing is\nsimilar to scanning but is usually done from an external perspective (e.g., a hacker attempting to\nattack the perimeter of an organization) without the full knowledge of the users.\n\n\n\n\n                                                                                            Page 8\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\nThe FISMA requires agencies to prepare Plans of Action and Milestones (POA&M)13 for\nsecurity weaknesses at the program and system levels. The POA&Ms are to be updated as new\nvulnerabilities are identified regardless of how the vulnerabilities were identified (e.g., an\ninternal security review, business unit self-assessments, or an external security audit).\nScanning and penetration testing efforts were largely conducted on an ad hoc basis, when\nrequested by the business units. During Calendar Year 2004, the CSIRC conducted\n17 vulnerability scans and 2 penetration tests. We reviewed 13 of the scans and the 2 tests and\ndetermined the CSIRC had identified significant security weaknesses on the systems reviewed.\nSecurity weaknesses from these scans included 11 incidents involving authentication controls\nand 15 different types of vulnerabilities (316 incidents) that can be exploited to render the\ncomputer useless or to run malicious commands to take over control of the computer.\nThe CSIRC shared its results with the requesting office, although this was done on an informal\nbasis. Generally, the person conducting the scan provided the results to the point of contact\nwithin the requesting office. There was no assurance that the head of the requesting office\nreceived the results of the scans or knew what the results were.\nIn addition, the CSIRC did not always follow up to determine if the vulnerabilities identified had\nbeen corrected. Follow-up reviews were conducted only\nwhen requested by the business units. CSIRC officials            The CSIRC did not always\ncited a lack of staffing as the main reason for not being         follow up to determine if\nable to follow up with requesting offices. We contacted         vulnerabilities identified had\nseveral of the individuals who had requested the                       been  corrected.\nvulnerability scanning to determine the actions taken to\naddress weaknesses identified. They indicated the results\nwere disseminated down to the local managers for corrective actions, but the POA&Ms were not\nupdated with the vulnerabilities identified by the CSIRC. The business units we contacted stated\nthe problems were local and not national and, therefore, should not be added to the POA&Ms.\nWe disagree with this rationale since the FISMA clearly requires all security weaknesses to be\nincluded in the POA&Ms for accountability and resolution purposes.\nBy not formally sharing results of tests with the heads of office, documenting results in\nPOA&Ms, and following up, the IRS is not assured that identified vulnerabilities have been\ncorrected or sufficiently mitigated.\n\n\n\n\n13\n  A POA&M is a tool that identifies tasks that need to be accomplished and includes documenting resources\nrequired to accomplish the element of the plan, any milestones in meeting the tasks, and scheduled completion dates\nfor the milestones. The purpose of POA&Ms is to assist agencies in identifying, assessing, prioritizing, and\nmonitoring the progress of corrective efforts for security weaknesses found in programs and systems.\n                                                                                                           Page 9\n\x0c                 The Computer Security Incident Response Center Is Operating\n                   As Intended, Although Some Enhancements Can Be Made\n\n\n\n\nRecommendations\nThe Chief, Mission Assurance and Security Services, should:\n\nRecommendation 2: Require the CSIRC to formally provide scanning and penetration\ntesting results to the business units in the form of a memorandum from the Office of the Chief,\nMission Assurance and Security Services, to the Executive in charge of the requesting office.\n       Management\xe2\x80\x99s Response: The Director, CSIRC, will document the findings from\n       vulnerability assessments and penetration tests in a memorandum to the respective\n       FISMA project office via the Executive in charge.\nRecommendation 3: Ensure the business units document results and planned corrective\nactions from vulnerability scans and penetration tests in the POA&Ms, as required by the\nFISMA.\n       Management\xe2\x80\x99s Response: The Director, CSIRC, will ensure all findings yielded\n       from vulnerability assessments are documented and referred to the appropriate FISMA\n       project office within the respective business units. The FISMA project office will accept\n       and document the report findings for tracking corrective actions.\nRecommendation 4: Require the CSIRC or another office to follow up on high-risk\nvulnerabilities identified from scanning and penetration testing to ensure vulnerabilities are\ncorrected or properly reduced.\n       Management\xe2\x80\x99s Response: The Chief, Mission Assurance and Security Services, will\n       ensure the business units\xe2\x80\x99 FISMA project offices monitor, track, and report on findings\n       from vulnerability assessments through closure. Upon notification from the FISMA\n       project office of closure, the CSIRC will re-run scans and penetration tests to ensure\n       vulnerabilities were effectively reduced.\n\n\n\n\n                                                                                            Page 10\n\x0c                   The Computer Security Incident Response Center Is Operating\n                     As Intended, Although Some Enhancements Can Be Made\n\n\n\n                                                                                             Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate the effectiveness of the Internal Revenue\nService\xe2\x80\x99s (IRS) Computer Security Incident Response Center (CSIRC) at preventing, detecting,\nand responding to computer security incidents targeting IRS computers and data. To accomplish\nthis objective, we:\nI.      Evaluated the security provided by the firewalls maintained by the CSIRC.\n        A. Reviewed the configurations of a judgmental sample of 13 firewalls from the\n           67 firewalls installed on the IRS infrastructure. The sample selected was\n           representative of the firewalls installed, the Computing Centers1 where they were\n           located, and the connection points being protected. A judgmental sample was used\n           because we were not planning to project the results.\n        B. Reviewed a random sample of 28 firewall configuration change management requests\n           made between January 1, 2004, and February 28, 2005. During this period, we found\n           373 change management requests.\n        C. Reviewed the process to accumulate and review the logs generated by the firewalls.\nII.     Evaluated the effectiveness of intrusion detection systems operations.\n        A. Reviewed the configurations of a judgmental sample of 10 intrusion detection sensors\n           from the 67 sensors installed on the IRS infrastructure. The sample selected was\n           representative of the types of sensors installed, where they were located, and the\n           connection points being protected. A judgmental sample was used because we were\n           not planning to project the results.\n        B. Reviewed how the intrusion detection sensors were deployed within the IRS.\n        C. Reviewed all 68 intrusion detection change requests made from January 2004 through\n           February 2005.\n        D. Scanned the IRS network from April 20, 2005, to May 2, 2005, and verified with the\n           CSIRC that this scanning activity was identified and logged.\n\n\n\n\n1\n  IRS Computing Centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n\n                                                                                                     Page 11\n\x0c                The Computer Security Incident Response Center Is Operating\n                  As Intended, Although Some Enhancements Can Be Made\n\n\n\nIII.   Evaluated the adequacy of the incident response and recovery actions.\n       A. Evaluated the processes and procedures for determining the nature of incidents, the\n          containment of the incidents, remediation of the issues or causes, recovery or\n          reconstitution of the systems for return to operational status, and education of\n          personnel on lessons learned.\n       B. Identified 1,361 incidents reported on the CSIRC\xe2\x80\x99s incident response database\n          between January 1, 2004, and March 3, 2005, and categorized the incidents by\n          incident type.\n       C. Reviewed the reports from 12 incidents, including postmortem reports and reports to\n          IRS management, the Department of the Treasury, and the Treasury Inspector\n          General for Tax Administration (TIGTA).\nIV.    Evaluated the effectiveness of the security alert and patch process.\n       A. Evaluated the sources used to generate alerts, the process for determining their\n          criticality, and the processes for issuing alerts and any follow-up regarding\n          corrections based on the alerts.\n       B. Reviewed the 44 alerts for Microsoft Windows issued by the IRS during Fiscal\n          Year 2004 and compared them to the related Microsoft Corporation security bulletins\n          to ensure the alerts were coded correctly for their level of criticality.\nV.     Evaluated the effectiveness of the vulnerability scans and penetration tests conducted by\n       the CSIRC.\n       A. Ascertained that 17 vulnerability scans and 2 penetration tests were performed during\n          Calendar Year 2004.\n       B. Reviewed the results of 13 of the 17 vulnerability scans and the 2 penetration tests\n          and determined what security vulnerabilities were identified, to whom the results\n          were reported, and if follow-up scans were performed. Due to time constraints, we\n          did not evaluate four of the scans.\nVI.    Evaluated the adequacy of the Internet usage log file reviews.\n       A. Reviewed the procedures for monitoring Internet usage by employees and contractors\n          and for referring inappropriate Internet accesses to IRS management and the TIGTA.\n       B. Reviewed a random sample of 384 Internet firewall log entries from the\n          1,671,452 log entries for transactions of 5,000 bytes or more that went through the\n          Martinsburg Computing Center Internet firewall on March 23, 2005. The sample was\n          selected through interval selection.\n\n\n\n\n                                                                                             Page 12\n\x0c                The Computer Security Incident Response Center Is Operating\n                  As Intended, Although Some Enhancements Can Be Made\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nSteve Mullins, Director\nKent Sagara, Audit Manager\nDavid Brown, Senior Auditor\nWilliam Lessa, Senior Auditor\nLarry Reimer, Senior Auditor\nEsther Wilson, Senior Auditor\n\n\n\n\n                                                                                         Page 13\n\x0c               The Computer Security Incident Response Center Is Operating\n                 As Intended, Although Some Enhancements Can Be Made\n\n\n\n                                                                           Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDirector, Assurance Programs OS:MA:AP\nDeputy Director, Information Technology Security Program Office OS:MA:AP\nChief, Computer Security Incident Response Center OS:MA:AP\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Management Controls OS:CFO:AR:M\nAudit Liaison: Chief, Mission Assurance and Security Services OS:MA\n\n\n\n\n                                                                                 Page 14\n\x0c    The Computer Security Incident Response Center Is Operating\n      As Intended, Although Some Enhancements Can Be Made\n\n\n\n                                                    Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 15\n\x0cThe Computer Security Incident Response Center Is Operating\n  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                                       Page 16\n\x0cThe Computer Security Incident Response Center Is Operating\n  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                                       Page 17\n\x0cThe Computer Security Incident Response Center Is Operating\n  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                                       Page 18\n\x0cThe Computer Security Incident Response Center Is Operating\n  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                                       Page 19\n\x0cThe Computer Security Incident Response Center Is Operating\n  As Intended, Although Some Enhancements Can Be Made\n\n\n\n\n                                                       Page 20\n\x0c'